[CVE-2022-1183] Destroying TLS stream too early triggers assertion failure
CVE-specific actions
- Assign a CVE identifier
- Determine CVSS score
- Determine the range of BIND versions affected (including the Subscription Edition)
- Determine whether workarounds for the problem exist
- Create a draft of the security advisory and put the information above in there
- Prepare a detailed description of the problem which should include the following by default:
  - instructions for reproducing the problem (a system test is good enough)
  - explanation of code flow which triggers the problem (a system test is not good enough)
- Prepare a private merge request containing the following items in separate commits: https://gitlab.isc.org/isc-private/bind9/-/merge_requests/395
  - a test for the issue (may be moved to a separate merge request for deferred merging)
  - a fix for the issue
  - documentation updates (CHANGES, release notes, anything else applicable)
- Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
- Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
- Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
- Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch
Release-specific actions
- Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
- Reserve a block of CHANGES placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
- Ensure the merge requests containing CVE fixes are merged into security-* branches in CVE identifier order
Post-disclosure actions
Reported by Thomas Amgarten to security-officer
As described here https://www.isc.org/reportbug/, I want to inform you about a denial-of-service situation, which is triggered with a simple SSL scanner from the Kali suite.
Using BIND 9.18.1 and a DoH configuration like this:
http myserver {
    endpoints { "/dns-query"; };
};
options {
    listen-on port 443 tls ephemeral http myserver { 127.0.0.1; 10.100.102.21; };
};
BIND is compiled with the following options...
$ named -V
BIND 9.18.1 (Stable Release) <id:1a4e4c2>
running on Linux x86_64 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 20:34:55 UTC 2021
built by make with '--prefix=/usr/local/bind-9.18.1' '--sysconfdir=/opt/chroot/bind/etc/named/' '--mandir=/usr/local/share/man' '--localstatedir=/opt/chroot/bind/var' '--enable-largefile' '--enable-full-report' '--without-gssapi' '--with-json-c' 'PKG_CONFIG_PATH=:/usr/local/libuv/lib/pkgconfig/'
compiled by GCC 8.4.1 20200928 (Red Hat 8.4.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
compiled with libuv version: 1.41.0
linked to libuv version: 1.41.0
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /opt/chroot/bind/etc/named/named.conf
rndc configuration: /opt/chroot/bind/etc/named/rndc.conf
DNSSEC root key: /opt/chroot/bind/etc/named/bind.keys
nsupdate session key: /opt/chroot/bind/var/run/named/session.key
named PID file: /opt/chroot/bind/var/run/named/named.pid
named lock file: /opt/chroot/bind/var/run/named/named.lock
...and is started like this:
$ ps -o command -u named
COMMAND
/usr/local/bind/sbin/named -4 -t /opt/chroot/bind -u named -c /etc/named/named.conf
Running the following one-liner, where 10.100.102.21 is the IP address of the BIND server with the DoH configuration enabled on TCP port 443, triggers an assertion failure in 99% of all my tries and named stops working:
$ for ((i=1; i<10; i++)); do sslyze 10.100.102.21 & done
17-Mar-2022 14:58:25.213 general: critical: netmgr/netmgr.c:1423: REQUIRE(((*sockp) != ((void *)0) && ((const isc__magic_t *)(*sockp))->magic == ((('N') << 24 | ('M') << 16 | ('S') << 8 | ('K'))))) failed, back trace
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind/sbin/named() [0x41da4d]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc_assertion_failed+0xa) [0x7fa283bf665a]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc___nmsocket_detach+0xc6) [0x7fa283be3e96]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc__nm_put_netievent_connectcb+0x15) [0x7fa283be4425]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x2329f) [0x7fa283be529f]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x239e6) [0x7fa283be59e6]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x24162) [0x7fa283be6162]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/libuv-1.41.0/lib/libuv.so.1(+0x11501) [0x7fa282386501]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/libuv-1.41.0/lib/libuv.so.1(uv__io_poll+0x475) [0x7fa282396de5]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/libuv-1.41.0/lib/libuv.so.1(uv_run+0x104) [0x7fa282386c24]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x23a7f) [0x7fa283be5a7f]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc__trampoline_run+0x15) [0x7fa283c1cf35]
17-Mar-2022 14:58:25.213 general: critical: /lib64/libpthread.so.0(+0x815a) [0x7fa28190b15a]
17-Mar-2022 14:58:25.213 general: critical: /lib64/libc.so.6(clone+0x43) [0x7fa28163add3]
17-Mar-2022 14:58:25.213 general: critical: exiting (due to assertion failure)
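The backtrace above is the artifact an operator actually sees: named logs a failed REQUIRE() (here a socket validity check, the pointer must be non-NULL and carry the 'NMSK' magic), then the symbolised frames, then exits. As an added example, not code from the reporter and not part of BIND, the following Python parser recognises that crash pattern in named's log output and matches it against a signature built from this report's trace (netmgr/netmgr.c:1423, isc___nmsocket_detach reached from isc__nm_put_netievent_connectcb). The sample log is constructed from the lines quoted above plus one ordinary info line; the signature dict and the function names are my own.

```python
"""Detect BIND assertion-failure crashes in named's log output and
attribute them to a known signature. Added example; not BIND code."""
import re

# Constructed sample input: the reporter's trace lines reassembled, with
# one unrelated info line in front so the parser has to skip noise.
SAMPLE_LOG = """\
17-Mar-2022 14:58:20.001 general: info: running
17-Mar-2022 14:58:25.213 general: critical: netmgr/netmgr.c:1423: REQUIRE(((*sockp) != ((void *)0) && ((const isc__magic_t *)(*sockp))->magic == ((('N') << 24 | ('M') << 16 | ('S') << 8 | ('K'))))) failed, back trace
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind/sbin/named() [0x41da4d]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc_assertion_failed+0xa) [0x7fa283bf665a]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc___nmsocket_detach+0xc6) [0x7fa283be3e96]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc__nm_put_netievent_connectcb+0x15) [0x7fa283be4425]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x2329f) [0x7fa283be529f]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x239e6) [0x7fa283be59e6]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x24162) [0x7fa283be6162]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/libuv-1.41.0/lib/libuv.so.1(+0x11501) [0x7fa282386501]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/libuv-1.41.0/lib/libuv.so.1(uv__io_poll+0x475) [0x7fa282396de5]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/libuv-1.41.0/lib/libuv.so.1(uv_run+0x104) [0x7fa282386c24]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x23a7f) [0x7fa283be5a7f]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc__trampoline_run+0x15) [0x7fa283c1cf35]
17-Mar-2022 14:58:25.213 general: critical: /lib64/libpthread.so.0(+0x815a) [0x7fa28190b15a]
17-Mar-2022 14:58:25.213 general: critical: /lib64/libc.so.6(clone+0x43) [0x7fa28163add3]
17-Mar-2022 14:58:25.213 general: critical: exiting (due to assertion failure)
"""

# "<file>:<line>: REQUIRE(<expr>) failed, back trace" opens a crash record.
ASSERT_RE = re.compile(
    r"general: critical: (?P<loc>[\w/.-]+:\d+): (?P<expr>REQUIRE\(.*\)) failed, back trace$"
)
# "<object>(<symbol>+<offset>) [<addr>]"; symbol and offset may each be absent.
FRAME_RE = re.compile(
    r"general: critical: (?P<obj>\S+?)\((?P<sym>[^)+]*)(?:\+0x[0-9a-f]+)?\) \[0x[0-9a-f]+\]$"
)
EXIT_RE = re.compile(r"general: critical: exiting \(due to assertion failure\)$")

# Signature derived from this report's trace (hypothetical name, my own).
CVE_2022_1183_SIGNATURE = {
    "location": "netmgr/netmgr.c:1423",
    # Frames that must appear in this order, innermost first.
    "frames": ("isc___nmsocket_detach", "isc__nm_put_netievent_connectcb"),
}


def parse_crash(lines):
    """Return a dict for the first assertion failure in lines, or None.

    The dict carries the source location, the failed REQUIRE expression,
    the symbolised frames (unsymbolised offsets are dropped) and whether
    named reported that it exited because of the assertion."""
    crash = None
    for line in lines:
        m = ASSERT_RE.search(line)
        if m:
            crash = {"location": m.group("loc"), "expr": m.group("expr"),
                     "frames": [], "exited": False}
            continue
        if crash is None:
            continue  # still before the assertion line
        f = FRAME_RE.search(line)
        if f:
            if f.group("sym"):
                crash["frames"].append(f.group("sym"))
            continue
        if EXIT_RE.search(line):
            crash["exited"] = True
            break
    return crash


def matches_signature(crash, sig=CVE_2022_1183_SIGNATURE):
    """True if crash failed at sig's location and sig's frames occur in order."""
    if crash is None or crash["location"] != sig["location"]:
        return False
    pos = 0
    for wanted in sig["frames"]:
        try:
            pos = crash["frames"].index(wanted, pos) + 1
        except ValueError:
            return False
    return True


if __name__ == "__main__":
    c = parse_crash(SAMPLE_LOG.splitlines())
    print(c["location"], c["frames"][:3], "matches:", matches_signature(c))
```

In practice any "exiting (due to assertion failure)" line from named is worth an alert on its own, because every assertion failure is a process exit; the signature match only attributes the crash to this particular bug so it can be separated from other faults when triaging.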
The patch for 9.18.2: